What’s the ‘holiday freeze’ and why does it put consumer data at risk?

With the holiday shopping season set to ramp up, retailers nationwide avoid rocking the boat with their point-of-sale software. This could pose problems, experts say.

As Baltimore sees its first snow of the season, security experts are ready to watch retailers go into what they call the “holiday freeze.”
A number of Target shoppers got an unwanted holiday surprise a year ago, when the retailer was the victim of a massive nationwide credit and debit card information theft at the height of the Black Friday rush.
Its timing was no coincidence, Ron Gula said.
Gula, CEO of Columbia’s Tenable Network Securitysays more breaches like it are likely, in part because of that “holiday freeze,” which refers to companies’ reluctance to rock the boat with patches and holiday season downtime for their point-of-sale systems.
“There could always be a breach. Certainly the number of people who have been compromised has been increasing, not decreasing,” Gula said. “Anybody who hasn’t had their turn yet is probably more likely than someone who has been attacked.”
In 2013, more than 30 million transactions were made on Black Friday and Cyber Monday, according to Tenable data, and nearly three-quarters of purchases were made using a card. On the other side of the counter, just over 10 percent of stores nationwide take adequate security measures and are spending less on network security now, too, with $4.1 million in protections this year, down from $4.3 million last year, according to Tenable data. And breaches, like that Target data theft, were up more than 26 percent last year.
Making matters worse is that retailers are reluctant to update — not because the IT department has collectively gone home for the month, Gula said, but because companies judge the cure could pose more short-term risk than the disease.
“The reality is you don’t want to be making changes during the busiest time of the year,” Gula said. “Every organization has its own story when it comes to the quality of the patches that they put out. I don’t care who you are. You could be the government, you could be a commercial store. You don’t have the ability to test the patches to the level the Microsofts, the Oracles do.”
However, Avi Rubin, a computer science professor at Johns Hopkins University and technical director of the university’s Information Security Institute, doesn’t believe attacks (and therefore, vulnerabilities) are necessarily limited to such times.
“They seem to crop up at arbitrary times,” Rubin said.
However, Rubin did put some stock in the idea that retailers leave themselves unprotected during the holiday rush.


“When you change your systems … things sometimes break and you want to make sure that things are up and running when you’re going to do a large percentage of your business,” Rubin said.

Earlier this month, Tenable released the newest version of its Nessus software, which scans individual and enterprise networks for security and compliance. The software automates scanning and detects malware.

Subscribe to our Newsletters
Technically Media
Connect with companies from the community
New call-to-action


Sign-up for daily news updates from